I want to fetch a list of all members from an AD security group through an ADF pipeline.
I came across this API method: https://graph.microsoft.com/v1.0/groups/{group id}/members
Can you guys help me with how I can run this API through a Web activity in an ADF pipeline?
Also, any permissions or access I need to have before running this API.
Thanks for your help and suggestions.
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and granted API permissions like below:
Generate the access token like below by creating the web activity:
URL: https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
Method : POST
Body: grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=https://graph.microsoft.com/.default
Header: Content-Type:application/x-www-form-urlencoded
I generated access token successfully like below:
I created Azure AD security Group and added members:
To fetch the list of all members from the Azure AD security group, use the query in Web activity 2 like below:
https://graph.microsoft.com/v1.0/groups/GroupID/members
In Authentication, use this dynamic content: Bearer @{activity('Web1').output.access_token}
I am able to fetch the list of all members from the Azure AD security group successfully like below:
Reference:
List group members - Microsoft Graph v1.0 | Microsoft Learn
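The same two-step flow as the answer above (client-credentials token, then the group members call), written out as an added Python example rather than the answer's own pipeline. It builds exactly the token POST and members GET from the answer, returns the ADF header expression, and additionally walks `@odata.nextLink`, because Graph returns the members a page at a time and a single Web activity call is not the full list for a larger group. The tenant, group and member values are constructed placeholders; the Graph application permission this call needs is GroupMember.Read.All (with admin consent), and in ADF the client secret should come from Key Vault rather than the pipeline definition, with Secure output enabled on the token activity so the access token does not land in run logs.

```python
"""Client-credentials token + Graph /groups/{id}/members with paging.
Added example; all ids and names below are constructed, not real data."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(tenant_id, client_id, client_secret):
    """Build the POST that Web activity 1 in the answer sends (same body and header)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,          # keep this in Key Vault, not in the pipeline
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def members_request(group_id, access_token):
    """Build the GET that Web activity 2 sends; $select keeps the payload small."""
    url = f"{GRAPH}/groups/{group_id}/members?$select=id,displayName,userPrincipalName"
    return page_request(url, access_token)


def page_request(url, access_token):
    """Any members page (first or @odata.nextLink) carries the same bearer header."""
    return Request(url, headers={"Authorization": f"Bearer {access_token}"})


def adf_authorization_header():
    """Dynamic content for the header in ADF: @{...} interpolates Web1's token."""
    return "Bearer @{activity('Web1').output.access_token}"


def collect_members(first_page, fetch_page):
    """Follow @odata.nextLink until a page has none. /members lists direct
    members only, so nested groups appear as group objects, not their users."""
    members, page = [], first_page
    while True:
        members.extend(page.get("value", []))
        next_link = page.get("@odata.nextLink")
        if not next_link:
            return members
        page = fetch_page(next_link)


def live_fetcher(access_token):
    """Fetch a page over the network (not used in the offline demo below)."""
    def fetch(url):
        with urlopen(page_request(url, access_token)) as resp:
            return json.load(resp)
    return fetch


# Constructed sample pages shaped like Graph responses (placeholder ids).
PAGE_1 = {
    "value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-1", "displayName": "Alice"},
        {"@odata.type": "#microsoft.graph.user", "id": "u-2", "displayName": "Bob"},
    ],
    "@odata.nextLink": f"{GRAPH}/groups/g-1/members?$skiptoken=CONSTRUCTED",
}
PAGE_2 = {
    "value": [{"@odata.type": "#microsoft.graph.group", "id": "g-2", "displayName": "Nested"}],
}
SAMPLE_PAGES = {PAGE_1["@odata.nextLink"]: PAGE_2}


def sample_fetch(url):
    """Offline stand-in for live_fetcher: serve the constructed follow-up page."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print([m["displayName"] for m in collect_members(PAGE_1, sample_fetch)])
```

If you need every user including those in nested groups, the `/groups/{id}/transitiveMembers` endpoint flattens the membership; `/members` as used in the answer returns the nested group object itself.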
Using the Azure Golang ARM SDK, I am able to fetch all resources under a subscription, except for the Azure Organization.
Is there a REST API or Golang library that allows me to programmatically fetch the Azure Organization with which the subscription is associated?
Note that the only parameter I can provide is the Subscription Id.
I tried to reproduce the same in my environment and got the results successfully like below:
I created an Application by granting API permission like below:
I generated the access token using below parameters:
GET https://login.microsoftonline.com/cdf429fe-37a2-4a79-8e40-7adbac3f8552/oauth2/v2.0/token
client_secret: client_secret
grant_type:client_credentials
scope:https://management.azure.com/.default
client_id:18e97655-fba5-4644-8abc-XXXXXXX
To fetch all the Azure AD B2C tenant resources in a subscription, try the below command:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.AzureActiveDirectory/b2cDirectories?api-version=2021-04-01
To fetch Azure Organization by Subscription Id, try the below command:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Confluent/organizations?api-version=2021-12-01
I'm trying to add an Azure AD security group (without mail/UPN) to an Azure DevOps permission with the REST API.
Is this possible?
In this page https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/users/create?view=azure-devops-rest-6.0#add-an-aad-user-by-oid I see the following
The body of the request must be a derived type of GraphUserCreationContext:
GraphUserMailAddressCreationContext - Create a new user using the mail address as a reference to an existing user from an external AD or AAD backed provider.
GraphUserOriginIdCreationContext - Create a new user using the OriginID as a reference to an existing user from an externalAD or AAD backed provider.
GraphUserPrincipalNameCreationContext - Create a new user using the principal name as a reference to an existing user from an external AD or AAD backed provider.
The groups are created as universal security groups on our onprem AD, and synced to Azure AD.
I don't have a mail address nor a UPN, but I can't find more info on what exactly OriginID is.
Edit: OriginID seems to work for a user, but not for a group.
To add an Azure AD group to Azure DevOps, you need to use the REST API Groups - Create.
POST https://vssps.dev.azure.com/{organization}/_apis/graph/groups?api-version=6.0-preview.1
Click this link for an example. The originId in the request body is the Object id of your Azure AD group.
The REST API link you provide in the question is to create a user, not a group.
I ended up connecting with the Azure cmdlets to get my ObjectID, as @jane-ma-msft suggested.
I am writing a web app where the user passes a bearer token acquired from login.microsoftonline.com. The app uses the token to connect to the Azure AD REST API at management.azure.com. The app successfully executes a GET https://management.azure.com/subscriptions?api-version=2016-09-01 request. The response is {"value":[]}, indicating no subscriptions. This looks correct to me, because of our specific corporate environment. When I log in from the Azure CLI, I must use az login --allow-no-subscriptions to avoid "no subscriptions found" error messages.
My challenge is that I want to get a list of AD groups from the REST API. The documentation indicates that the URL format is:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/groups?api-version=2019-12-01
I do not see how to form a URL with no subscription ID. Is there a way to do so?
You cannot list Azure AD groups via the Azure REST API (https://management.azure.com); the Azure REST API is for Azure resources. The API Group - List By Service you provided is used to list the groups in an API Management service, not AAD groups.
To list AAD groups, your option is to use Microsoft Graph - List groups (https://graph.microsoft.com, which is recommended)
GET https://graph.microsoft.com/v1.0/groups
or Azure AD Graph - Get groups(https://graph.windows.net).
GET https://graph.windows.net/myorganization/groups?api-version=1.6
How can I fetch all users from my Azure Active Directory? I need some API for it.
You can use the Graph API List users:
GET https://graph.microsoft.com/v1.0/users
Please try with the below API:
GET https://vssps.dev.azure.com/{org name}/_apis/graph/users?subjectTypes=aad&api-version=5.1-preview.1
Note: Specify the subjectTypes as aad.
Then it will fetch all users who are members of the organization and are also located in the AAD tenant that is connected with the Azure DevOps organization.
This is the sample response of mine:
I am trying to populate the claims token with user group information that I will fetch from the Graph API. This will be specifically useful to port an existing Windows auth application to Azure. All my IsInRole() functions will work as is. I tried following this post
Populate Claims Information from Graph API
but unless I update the app manifest with groupMembershipClaims, I may not be able to populate the groups information. I am trying to avoid this since I am not a Global Admin on my corporate tenant. Are there any more sample codes that I can follow to do the same?